Independent Evaluation of the FDIC's Information Security Program-2004

(Report No. 04-046, September 30, 2004)

Summary

As required by the Federal Information Security Management Act of 2002 (FISMA), we have completed an independent evaluation of the Federal Deposit Insurance Corporation's (FDIC) information security program and practices. FISMA directs federal agencies to have an annual independent evaluation performed of their information security program and practices and for agencies to report the results of the evaluation to the Office of Management and Budget (OMB). FISMA states that the independent evaluation is to be performed by the agency Inspector General (IG) or an independent external auditor as determined by the IG. This is the fourth annual security evaluation that our office has performed pursuant to FISMA and its predecessor legislation, the Government Information Security Reform Act, which expired in November 2002.

The objective of the evaluation was to determine the effectiveness of the FDIC's information security program and practices, including its compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines. In summary, we concluded that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. As a result of focused efforts over the past several years, the FDIC has made considerable progress in improving its information security controls and practices. Notably, this is the first annual security evaluation wherein we identified no significant deficiencies as defined by OMB that warrant consideration as a potential material weakness. However, continued management attention was needed in several key security control areas to ensure that appropriate risk-based and cost-effective security controls are designed and in place to secure the FDIC's information resources and further the Corporation's security goals and objectives.

We issued a separate audit report containing responses to specific questions raised by OMB in its August 23, 2004 memorandum, FY 2004 Reporting Instructions for the Federal Information Security Management Act.[1] Our responses to the OMB questions, together with the independent security evaluation report, satisfy our 2004 FISMA reporting requirements.

Steps to Improve Information Security

Similar to our prior year security evaluations, our report identified ten steps that the Corporation can take in the near term to improve its information security program and operations. Generally, the steps focused more on the implementation of the FDIC's security management controls, whereas the steps contained in our prior year evaluation focused primarily on the establishment of security management controls. In many cases, the FDIC had already begun to address these steps during our evaluation field work. We will continue to work with the Corporation throughout the coming year to ensure that appropriate risk-based and cost-effective IT security controls are in place to secure corporate information resources and further corporate security goals and objectives.

Management Comments

We provided FDIC management with a draft report summarizing our FISMA evaluation results on September 3, 2004. We subsequently discussed the report with management officials and made a number of changes to address their concerns and comments. Because the draft report did not contain formal recommendations, no written response was required from the Corporation.

This report contains sensitive information regarding information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.

[1] Report entitled Responses to Questions Raised in OMB's Fiscal Year 2004 FISMA Reporting Instructions, dated September 30, 2004 (Report No. 04-047).